Remove Wana Decrypt0r 2.0 Virus and Restore .WNCRY .WCRY Files

A massive ransomware outbreak spreading the new version of Wana Decrypt0r 2.0, also known as WannaCry, was recently halted by a malware researcher known as “MalwareTech”, who registered the kill-switch domain the malware checks before it spreads further. The virus encrypts the files on infected computers and appends either the .WNCRY or the .WCRY file extension to them. Once encryption has completed, the ransomware begins to extort victims by dropping a ransom note demanding around 300 US dollars to get the files back. Read this article to learn how to remove the Wana Decrypt0r virus and how to attempt to restore your files in the event that they have been encrypted by this ransomware.

Wana Decrypt0r 2.0 Ransomware – What Does It Do?

Once an infection with this ransomware has begun, the virus immediately drops its payload on the victim's computer. The payload may be located in several different folders, including:

%AppData%

%Local%

%LocalLow%

%Roaming%

%Windows%

The virus drops its payload as several files, among them DLLs and other components with the .wnry file extension, each named with a single letter, for example a.wnry. Then the Wana Decrypt0r 2.0 threat begins to modify the Windows Registry under the following keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Values with random names, whose data is the location of the virus files, may be created under these keys.

The Wana Decrypt0r 2.0 ransomware infection is also reported by experts to delete the shadow volume copies and to disable system recovery on Windows machines.

Other activity of the Wana Decrypt0r 2.0 threat is to stop MySQL and other processes, such as SQL Server and Exchange, so that the database and mailbox files they hold open can be encrypted as well. This only happens after it has gained administrative access.
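The two behaviours just described (destroying recovery data, then killing database and mail services) are easy to spot in process-creation telemetry. The following is an added detection example, not code from the original article. Its log lines are constructed in a simplified pipe-delimited form resembling Sysmon Event ID 1 / Windows 4688 records; the command lines in them are the ones public analyses of WannaCry document (the vssadmin/wmic/bcdedit/wbadmin chain run through cmd.exe, and taskkill against database and Exchange processes), and tasksche.exe as the parent image is the WannaCry component those analyses name.

```python
"""Flag recovery-sabotage and service-killing commands in process-creation logs.
Added example (not from the original article); sample log lines are constructed."""
import re
from collections import defaultdict

# Constructed sample, one record per line: time|host|user|parent image|command line
SAMPLE_LOG = """\
2017-05-12T10:02:11Z|WS01|CORP\\alice|C:\\Windows\\tasksche.exe|cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
2017-05-12T10:02:12Z|WS01|CORP\\alice|C:\\Windows\\tasksche.exe|taskkill.exe /f /im mysqld.exe
2017-05-12T10:02:12Z|WS01|CORP\\alice|C:\\Windows\\tasksche.exe|taskkill.exe /f /im Microsoft.Exchange.*
2017-05-12T10:05:40Z|WS01|CORP\\bob|C:\\Windows\\explorer.exe|notepad.exe C:\\Users\\bob\\notes.txt
2017-05-12T10:06:01Z|WS01|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\services.exe|vssadmin list shadows
"""

# Process names WannaCry terminates so their open data files can be encrypted
KILL_TARGETS = ("mysqld.exe", "mssqlserver.exe", "sqlwriter.exe", "msexchange", "microsoft.exchange.")


def classify(cmdline):
    """Return the list of suspicious behaviours a single command line exhibits.
    These commands only succeed from an elevated process (hence the article's note
    about administrative access), but the attempt alone is worth alerting on."""
    low = cmdline.lower()
    tags = []
    if re.search(r"vssadmin(\.exe)?\s+delete\s+shadows", low) or \
            re.search(r"wmic(\.exe)?\s+shadowcopy\s+delete", low):
        tags.append("shadow_copy_deletion")
    if re.search(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+"
                 r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", low):
        tags.append("recovery_disabled")
    if re.search(r"wbadmin(\.exe)?\s+delete\s+catalog", low):
        tags.append("backup_catalog_deleted")
    m = re.search(r"taskkill(\.exe)?\s+.*?/im\s+(\S+)", low)
    if m and m.group(2).startswith(KILL_TARGETS):
        tags.append("service_kill:" + m.group(2))
    return tags


def scan(log_text):
    """Parse the pipe-delimited records and keep only those with at least one tag."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        time, host, user, parent, cmdline = line.split("|", 4)
        tags = classify(cmdline)
        if tags:
            findings.append({"time": time, "host": host, "user": user,
                             "parent": parent, "tags": tags})
    return findings


def correlate(findings):
    """Group by (host, parent image): a single parent that both destroys recovery
    data and kills database/mail services is the WannaCry pattern, which is a
    stronger signal than either command on its own."""
    by_parent = defaultdict(set)
    for f in findings:
        by_parent[(f["host"], f["parent"])].update(f["tags"])
    return {k: sorted(t) for k, t in by_parent.items()
            if "shadow_copy_deletion" in t and any(x.startswith("service_kill:") for x in t)}


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["time"], f["host"], f["parent"], f["tags"])
    print("WannaCry-like parents:", correlate(SAMPLE_LOG and scan(SAMPLE_LOG)))
```

Note that a harmless `vssadmin list shadows` is not flagged: the patterns key on the destructive verbs, not on the tool names, to keep backup-administration noise out of the alert.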

The Wana Decrypt0r 2.0 virus also uses strong encryption (AES for the file contents, with each per-file AES key in turn protected by RSA) to lock the files on the compromised computer. The ransomware infection scans for the following file types in order to encrypt them:

After the files are encrypted, Wana Decrypt0r 2.0 appends one of these two file extensions to the names of documents, videos, music files and other files on the encrypted computer:

.WNCRY

.WCRY

But this is not all of its activity. The virus also modifies the registry to change the victim's desktop wallpaper to the following image:

The message in it demands that victims immediately open the @WanaDecrypt0r@.exe file, which displays the full ransom note program with a countdown timer: the 300$ demand doubles if it is not paid within three days, and the note threatens to delete the files after seven:

Wana Decrypt0r 2.0 – How Does It Infect?

The infection process of this virus begins with its method of spreading. So far, this may be via:

E-mail spam messages.

Fake setups uploaded online.

Direct, worm-like spreading from one infected machine to others over SMB (port 445), which is how it moves through organizations.

Whatever the initial method, one thing is certain: the hackers behind this virus use exploits from the NSA tooling leaked by The Shadow Brokers hacking group under the name “Lost in Translation”. In particular, the worm component spreads over SMBv1 with the ETERNALBLUE exploit and installs the DOUBLEPULSAR kernel backdoor. Microsoft fixed the underlying SMBv1 flaws in security bulletin MS17-010 (March 2017), so all users of Windows operating systems are advised to update. The tools contained in the leak are reported to be the following (not all of them are used by Wana Decrypt0r 2.0):

EASYBEE

EASYPI

EWOKFRENZY

EXPLODINGCAN

ETERNALROMANCE

EDUCATEDSCHOLAR

EMERALDTHREAD

EMPHASISMINE

ENGLISHMANSDENTIST

ERRATICGOPHER

ETERNALSYNERGY

ETERNALBLUE

ETERNALCHAMPION

ESKIMOROLL

ESTEEMAUDIT

ECLIPSEDWING

EXPANDINGPULLEY

GROK

FUZZBUNCH

DOUBLEPULSAR

PASSFREELY

ODDJOB

JEEPFLEA_MARKET

Remove .WNCRY File Virus and Recover Your Files

In order to remove this ransomware infection, you can follow the tutorial below. Be advised that the best removal method according to security researchers is to use an advanced anti-malware product that will remove this ransomware infection completely and protect your computer in the future as well.

Whatever the case may be, experts strongly advise against paying the ransom; instead, remove the virus yourself and try to restore the files using other methods, like the ones in the instructions below.

Booting in Safe Mode

For Windows:
1) Hold the Windows key and press R.
2) A Run window will appear; in it type “msconfig” and hit Enter.
3) In the window that appears go to the Boot tab, tick Safe boot, click OK and restart when prompted.

Cut out Wana Decrypt0r 2.0 in Task Manager

1) Press CTRL+SHIFT+ESC at the same time.
2) Locate the “Processes” tab.
3) Locate the malicious process of Wana Decrypt0r 2.0 and end its task by right-clicking on it and clicking on “End Process”.

Eliminate Wana Decrypt0r 2.0‘s Malicious Registries

For most Windows variants:
1) Hold Windows Button and R.
2) In the “Run” box type “Regedit” and hit “Enter”.
3) Hold CTRL+F and type Wana Decrypt0r 2.0 or the file name of the malicious executable of the virus, which is usually located in %AppData%, %Temp%, %Local%, %Roaming% or %SystemDrive%.
4) After having located the malicious registry objects, some of which are usually in the Run and RunOnce subkeys, delete them permanently and restart your computer. Here is how to find and delete keys for different versions.
For Windows 7: Open the Start Menu, type regedit in the search box and open it –> Hold CTRL + F –> Type Wana Decrypt0r 2.0 Virus in the search field.
Win 8/10 users: Start Button –> Choose Run –> type regedit –> Hit Enter –> Press CTRL + F. Type Wana Decrypt0r 2.0 in the search field.
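Searching Regedit for the string “Wana Decrypt0r 2.0” will not find anything when the value name is random, as the earlier section explains. A more reliable way to triage the Run and RunOnce keys is to export them (File –> Export in Regedit, or `reg export`) and go through the values by where they point. The following is an added example, not code from the original article: it parses a .reg export and flags values whose executable lives in a user-writable folder, carries the name of a Windows system binary outside the Windows directory, or matches a component public analyses attribute to WannaCry (tasksche.exe, mssecsvc.exe, @WanaDecrypt0r@.exe). The .reg text is constructed for the demo, and the random-looking value name in it is made up in the style those analyses describe.

```python
"""Triage Run/RunOnce values from a .reg export. Added example, not from the
original article; SAMPLE_REG is a constructed export, not a real capture."""

RUN_KEY_SUFFIXES = (
    "\\software\\microsoft\\windows\\currentversion\\run",
    "\\software\\microsoft\\windows\\currentversion\\runonce",
)
# Folders a non-admin user can write to, plus the drop directories WannaCry uses
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\", "\\intel\\")
KNOWN_WANNACRY_BINARIES = {"tasksche.exe", "mssecsvc.exe", "@wanadecrypt0r@.exe"}
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe"}

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"ovmqujcfohk843"="\"C:\\ProgramData\\ovmqujcfohk843\\tasksche.exe\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"upd"="C:\\Users\\alice\\AppData\\Roaming\\svchost.exe"
'''


def parse_reg_export(text):
    """Return (key, value name, data) triples; .reg escapes \\ and \" inside strings."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif line.startswith('"') and "=" in line and key:
            name, _, data = line.partition("=")
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            entries.append((key, name.strip('"'), data))
    return entries


def image_path(data):
    """Extract the executable path from a command line, quoted or not."""
    d = data.strip()
    if d.startswith('"'):
        return d[1:d.find('"', 1)]
    return d.split(" ")[0]


def find_suspicious_autoruns(entries):
    """Return the Run/RunOnce values that deserve a second look, with reasons."""
    hits = []
    for key, name, data in entries:
        if not key.lower().endswith(RUN_KEY_SUFFIXES):
            continue
        path = image_path(data)
        low = path.lower()
        exe = low.rsplit("\\", 1)[-1]
        reasons = []
        if exe in KNOWN_WANNACRY_BINARIES:
            reasons.append("known_wannacry_binary")
        if any(d in low for d in USER_WRITABLE):
            reasons.append("user_writable_dir")
        if exe in SYSTEM_NAMES and "\\windows\\" not in low:
            reasons.append("system_binary_name_outside_windows")
        if reasons:
            hits.append({"key": key, "name": name, "path": path, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for h in find_suspicious_autoruns(parse_reg_export(SAMPLE_REG)):
        print(h["name"], "->", h["path"], h["reasons"])
```

The OneDrive entry is flagged too, on purpose: legitimate software does install under AppData, so a hit on `user_writable_dir` alone is a prompt to check the file's signature and publisher, while a hit on a known WannaCry binary name is what you delete.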

Recover files encrypted by the Wana Decrypt0r 2.0 Ransomware.

Method 1: Using Shadow Explorer. If System Restore (Volume Shadow Copies) was enabled on your Windows machine, Shadow Explorer can browse the previous versions of your files kept in those snapshots and copy them back. Unfortunately, Wana Decrypt0r 2.0, like many ransomware viruses, deletes the shadow copies with an administrative command (vssadmin) precisely to prevent this, so the method only helps if that step failed, for example because the malware never obtained administrative rights.

Method 2: Try to decrypt your files using third-party decryption tools. Many antivirus vendors have broken the encryption of multiple ransomware families over the last couple of years and published decryptors for them. If your ransomware uses the same encryption code as a decryptable family, you may get the files back. However, this is no guarantee, so try this method on copies of the encrypted files: if a third-party program tampers with their encrypted structure, they may be damaged permanently. Here are the vendors to look for:

Kaspersky.

Emsisoft.

TrendMicro.
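Before handing .WNCRY files to a decryptor, it is worth checking that each one really is a WannaCry container: files that were only renamed, truncated during encryption, or produced by a different family will not decrypt and can be mangled by a tool that assumes the wrong layout. The following is an added example, not code from the original article or from any vendor's decryptor. The layout it checks follows public analyses of WannaCry and should be treated as an assumption: an 8-byte “WANACRY!” magic, a 4-byte little-endian length of the RSA-encrypted per-file AES key (0x100), that key blob, a 4-byte encryption type, an 8-byte original file size, then AES-CBC ciphertext padded to a 16-byte boundary. The sample files are constructed and the key bytes in them are placeholders.

```python
"""Structural validation of .WNCRY containers before decryption or recovery.
Added example, not from the original article; sample files are constructed."""
import struct

MAGIC = b"WANACRY!"
HEADER = struct.Struct("<8sI")    # magic, length of the encrypted key blob
TRAILER = struct.Struct("<IQ")    # encryption type, original file size
KEY_BLOB_LEN = 0x100              # RSA-2048 output


def parse_wncry(blob):
    """Return the header fields if blob is a structurally valid WannaCry container,
    otherwise None (renamed plaintext, truncated file, or a different family)."""
    if len(blob) < HEADER.size:
        return None
    magic, key_len = HEADER.unpack_from(blob, 0)
    if magic != MAGIC or key_len != KEY_BLOB_LEN:
        return None
    off = HEADER.size
    if len(blob) < off + key_len + TRAILER.size:
        return None
    enc_key = blob[off:off + key_len]
    off += key_len
    enc_type, orig_size = TRAILER.unpack_from(blob, off)
    off += TRAILER.size
    ciphertext = blob[off:]
    # CBC output is whole blocks and must cover the original length
    padded = -(-orig_size // 16) * 16
    if len(ciphertext) % 16 or len(ciphertext) < padded:
        return None
    return {"enc_key": enc_key, "enc_type": enc_type,
            "orig_size": orig_size, "ciphertext_len": len(ciphertext)}


def triage(files):
    """Map file name -> 'encrypted' or 'not_a_wncry_container' for a batch of blobs."""
    return {name: ("encrypted" if parse_wncry(blob) else "not_a_wncry_container")
            for name, blob in files.items()}


def make_sample(orig_size=20):
    """Constructed container for the demo: placeholder key bytes, zero ciphertext."""
    padded = -(-orig_size // 16) * 16
    return (HEADER.pack(MAGIC, KEY_BLOB_LEN) + b"\xab" * KEY_BLOB_LEN
            + TRAILER.pack(4, orig_size) + b"\x00" * padded)


SAMPLE_FILES = {
    "report.docx.WNCRY": make_sample(20),
    "renamed.txt.WNCRY": b"This file was only renamed, never encrypted.",
    "truncated.jpg.WNCRY": make_sample(20)[:100],
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_FILES).items():
        print(name, verdict)
```

Only the files reported as `encrypted` are candidates for a decryptor; the others go to the data-recovery route in Method 3, and in every case the tool should be run against copies, as the text above advises.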

Method 3: Using data recovery tools. This method is suggested by multiple experts in the field. Such tools scan the hard drive's sectors for the original, unencrypted files, which the ransomware deleted after writing the encrypted copies, and carve them back as if they had simply been deleted. The more sophisticated ransomware viruses overwrite the original before deleting it to defeat exactly this, but not all do; for Wana Decrypt0r 2.0, published analyses report that files in the user's most important folders (such as Desktop and Documents) are overwritten before deletion, while files elsewhere are merely deleted. So you may have a chance of restoring some of your files with this method. Here are several data recovery programs which you can try in order to restore at least some of your files: